DNS Server BIND: Danger from Proof-of-Concept Exploit for Security Vulnerability

Three security vulnerabilities have been discovered in the DNS server BIND. A public proof-of-concept exploit for one of them makes attacks more likely.

The DNS server BIND has three vulnerabilities that the Internet Systems Consortium (ISC), which develops the software, reported last week. A proof-of-concept exploit (PoC) that has since surfaced demonstrates how one of them can be abused. Administrators should update the BIND servers they manage to the latest patched release without delay.

The Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has now also issued a warning. The PoC targets a high-severity vulnerability that, in the BSI's words, “could allow an unauthenticated attacker to manipulate DNS entries through cache poisoning and thus redirect internet traffic arbitrarily” (CVE-2025-40778, CVSS 8.6, risk “high”). ISC's own advisory states that “under certain circumstances, BIND is too lenient when accepting records from responses, allowing an attacker to inject forged data into the cache.” No active exploitation of the vulnerability is known so far.
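To make the cache-poisoning point concrete, here is a minimal bailiwick filter of the kind every caching resolver must apply before storing records from a response: a server queried for names under one zone may only supply records for names inside that zone, whatever section they arrive in. It is an added example written for this article, not code from BIND or ISC, and it does not reconstruct the specific CVE-2025-40778 flaw, which ISC has not detailed here. The record tuples and the sample response are constructed.

```python
"""Bailiwick filter for records returned to a caching resolver.

Added example, not BIND's code and not a reconstruction of the CVE-2025-40778
flaw itself. Records are modelled as (owner, rtype, rdata, section) tuples;
the sample response below is constructed for this example.
"""


def labels(name):
    """Split a domain name into lower-cased labels; the root '.' becomes []."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def in_bailiwick(owner, zone):
    """True if `owner` is `zone` itself or a name below it.

    Comparison is label-wise, so 'notexample.com' is NOT inside 'example.com'
    (a plain string-suffix test would get that wrong).
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(records, zone):
    """Split a response into records safe to cache and records to discard.

    Anything outside `zone` is dropped regardless of section: an out-of-bailiwick
    additional or authority record is the classic way forged data (for example a
    fake A record for another organisation's name) is smuggled into a lenient cache.
    """
    accepted, rejected = [], []
    for rec in records:
        owner = rec[0]
        (accepted if in_bailiwick(owner, zone) else rejected).append(rec)
    return accepted, rejected


# Constructed response from a server authoritative for example.com, answering
# a query for www.example.com. The last two records are forgeries.
SAMPLE_RESPONSE = [
    ("www.example.com.", "A", "192.0.2.10", "answer"),
    ("example.com.", "NS", "ns1.example.com.", "authority"),
    ("ns1.example.com.", "A", "192.0.2.53", "additional"),
    ("www.bank.test.", "A", "198.51.100.66", "additional"),  # out of bailiwick
    ("test.", "NS", "ns1.example.com.", "authority"),         # out of bailiwick
]


def demo(zone="example.com."):
    """Return the owner names the resolver may cache and those it must discard."""
    accepted, rejected = filter_response(SAMPLE_RESPONSE, zone)
    return [r[0] for r in accepted], [r[0] for r in rejected]


if __name__ == "__main__":
    acc, rej = demo()
    print("cache:  ", acc)
    print("discard:", rej)
```

Running the block keeps the three example.com records and discards the forged A record for www.bank.test and the bogus NS record for the test TLD. Real resolvers layer further rules on top (RFC 2181 credibility ranking, DNSSEC validation), but this check is the floor below which any cache becomes poisonable by whoever can get a response accepted.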

Alongside this vulnerability, the only one of the three with a public PoC, ISC closed two more in the same updates. The second also enables cache poisoning and stems from a weakness in the pseudo-random number generator (PRNG): attackers could predict the source port and query ID that BIND will use for an outgoing query (CVE-2025-40780, CVSS 8.6, risk “high”). Those two values are exactly what an off-path attacker has to guess to forge a response the resolver accepts, so predictability removes the main barrier to blind spoofing. The third vulnerability lets attackers exhaust CPU with specially crafted DNSKEY records, a denial-of-service issue (CVE-2025-8677, CVSS 7.5, risk “high”).

Updating to BIND 9.18.41, 9.20.15 or 9.21.14, or any later release, fixes all three issues. ISC advises administrators to move to the patched release of the branch they are already running. The BSI warning adds: “According to the Internet Intelligence Platform Censys, over 700,000 BIND DNS servers worldwide are running a version vulnerable to the vulnerability, with nearly 40,000 of them in Germany alone.” Its recommendation: “IT security managers should check the patch levels on operated BIND DNS servers as quickly as possible and, if necessary, install the available updates.”
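One way to act on that recommendation quickly across a fleet is to collect each server's version banner and compare it with the fixed releases above. The following is an added example, not an ISC tool. It assumes banners obtained with "named -v" on the host or with "dig +short chaos txt version.bind @<server>" over the network; the sample strings are constructed.

```python
"""Triage BIND version banners against the patched releases named in the article.

Added example, not an ISC tool. Input is the text printed by `named -v` or
returned for the version.bind CHAOS TXT query; the SAMPLES below are constructed.
"""
import re

# First fixed release per branch, from the ISC advisory the article cites.
# Anything older in the same branch is affected by all three CVEs.
FIXED = {
    (9, 18): (9, 18, 41),
    (9, 20): (9, 20, 15),
    (9, 21): (9, 21, 14),
}

_VERSION_RE = re.compile(r"\b(9)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version banner, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def status(text):
    """Classify one banner: 'patched', 'vulnerable', 'unlisted-branch' or 'unknown'.

    'vulnerable' means the upstream version number is below the fix. Distribution
    builds (e.g. '9.18.28-1~deb12u2-Debian') often backport fixes without bumping
    that number, so for such strings treat the result as 'check the distro
    advisory', not as confirmed exposure.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"          # banner hidden (options { version "none"; }) or not BIND
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unlisted-branch"  # branch not covered here; consult the ISC advisory
    return "patched" if v >= fixed else "vulnerable"


def triage(banners):
    """Map each banner to its status so the result can be sorted or exported."""
    return {b: status(b) for b in banners}


# Constructed banners in the shapes `named -v` and version.bind typically return.
SAMPLES = [
    "BIND 9.18.40 (Extended Support Version)",
    "BIND 9.18.41 (Extended Support Version)",
    "9.20.15",
    "9.21.13",
    "BIND 9.18.28-1~deb12u2-Debian",
    "not disclosed",
]

if __name__ == "__main__":
    for banner, result in triage(SAMPLES).items():
        print(f"{result:16} {banner}")
```

Two caveats a practitioner should keep in mind. The version.bind answer is only as honest as the operator made it: BIND lets the banner be suppressed or replaced with arbitrary text via the version option, so "unknown" results need a check on the host itself. And a distribution package can carry the fix under an older upstream number, so the version comparison is a triage aid for deciding where to look first, not a substitute for the vendor's own advisory.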

BIND is a mature piece of software, but not a stranger to serious bugs. The last one to draw comparable attention, nicknamed “KeyTrap” and disclosed in early 2024, let crafted DNSSEC data drive a validating resolver into denial of service.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.